Per-Device Identity PSK

Jonathan Grim
Cisco Employee

Is there a recommended ISE configuration for per-device Identity PSK at large scale?

I'm working on a wireless ISE design.  It will entail numerous consumer and IoT devices in a university setting.  The consumer and IoT devices are managed by individuals, not centrally.  An individual might have multiple devices.

If a recommended configuration doesn't exist, I spot-tested the following configuration in my lab:

  1. For the endpoint, create a custom attribute for the device's PSK.  (psk=<unique key>)
  2. Create a new Authorization Profile.
  3. Within the Authorization Profile, create two advanced attributes:
    1. Cisco:cisco-av-pair = psk-mode=ascii
    2. Cisco:cisco-av-pair = Endpoints:<custom endpoint attribute>
  4. Create a new Authorization Policy with appropriate match conditions.
  5. Assign newly created Authorization Profile as the result.

The university would have to create a custom device registration portal.  The portal would generate one unique PSK for the student, and register the MAC address of the IoT device.  The ISE ERS API could be used to bulk create/update the endpoints on ISE as a scheduled job.
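The bulk-registration step described above, as an added example that is not code from the original post or from Cisco: a Python script that generates a per-device passphrase from a CSPRNG, builds the ERS endpoint body with the custom attribute, and creates or updates the endpoint over ERS (port 9060, basic auth). It assumes the endpoint custom attribute is named `psk` and, because the Authorization Profile returns the attribute verbatim as a `cisco-av-pair`, that its stored value is the full `psk=<key>` string. The host, account, MAC addresses and the `fake_opener` stand-in for `urllib.request.urlopen` are constructed for offline demonstration; drop the `opener` argument to talk to a real node, and never log or print the generated keys in production.

```python
"""Bulk create/update ISE endpoints carrying a per-device iPSK via the ERS API."""
import base64
import json
import re
import secrets
import string
import urllib.request

PSK_ATTR = "psk"                                   # custom endpoint attribute name (assumption)
PSK_ALPHABET = string.ascii_letters + string.digits  # printable ASCII, safe for psk-mode=ascii
PSK_LENGTH = 20                                    # WPA2-PSK passphrases must be 8..63 chars


def generate_psk(length=PSK_LENGTH):
    """Return a random ASCII passphrase from a CSPRNG (secrets, never random)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


_MAC_RE = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac):
    """Canonicalize any common MAC notation to ISE's AA:BB:CC:DD:EE:FF; reject junk."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not _MAC_RE.match(digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_endpoint_payload(mac, psk, group_id=None, description=""):
    """ERS body; the attribute value is the complete 'psk=<key>' av-pair text."""
    body = {
        "mac": normalize_mac(mac),
        "description": description,
        "staticGroupAssignment": group_id is not None,
        "customAttributes": {"customAttributes": {PSK_ATTR: f"psk={psk}"}},
    }
    if group_id:
        body["groupId"] = group_id
    return {"ERSEndPoint": body}


class ErsClient:
    """Minimal ERS endpoint client; TLS verification is left at urllib's default (on)."""

    def __init__(self, host, user, password, opener=None):
        self.base = f"https://{host}:9060/ers/config/endpoint"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Accept": "application/json",
                        "Content-Type": "application/json"}
        self._open = opener or urllib.request.urlopen   # injectable for offline tests

    def _request(self, method, url, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(url, data=data, headers=self.headers, method=method)
        with self._open(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    def find_id_by_mac(self, mac):
        _, doc = self._request("GET", f"{self.base}?filter=mac.EQ.{normalize_mac(mac)}")
        resources = doc["SearchResult"]["resources"] if doc else []
        return resources[0]["id"] if resources else None

    def upsert(self, payload):
        """PUT if the MAC already exists (re-keying a device), otherwise POST."""
        existing = self.find_id_by_mac(payload["ERSEndPoint"]["mac"])
        if existing:
            payload["ERSEndPoint"]["id"] = existing
            self._request("PUT", f"{self.base}/{existing}", payload)
            return "updated"
        self._request("POST", self.base, payload)
        return "created"


def sync_registrations(client, registrations):
    """registrations: list of (mac, owner). Returns {mac: (action, psk)} for the portal DB."""
    result = {}
    for mac, owner in registrations:
        psk = generate_psk()
        action = client.upsert(build_endpoint_payload(mac, psk, description=f"owner={owner}"))
        result[normalize_mac(mac)] = (action, psk)
    return result


# --- constructed stand-in for urlopen so the script runs with no ISE node ---
class _FakeResponse:
    def __init__(self, status, doc):
        self.status, self._raw = status, json.dumps(doc).encode()
    def read(self):
        return self._raw
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def fake_opener(req):
    """Pretends AA:BB:CC:DD:EE:01 already exists in ISE; everything else is new."""
    if req.get_method() == "GET":
        found = "AA:BB:CC:DD:EE:01" in req.full_url
        return _FakeResponse(200, {"SearchResult": {"total": int(found),
                                                    "resources": [{"id": "e1"}] if found else []}})
    return _FakeResponse(201 if req.get_method() == "POST" else 200, {})


if __name__ == "__main__":
    client = ErsClient("ise.example.edu", "ersadmin", "ers-password", opener=fake_opener)
    devices = [("aa-bb-cc-dd-ee-01", "student1"), ("AABBCCDDEE02", "student1")]  # constructed
    for mac, (action, _psk) in sync_registrations(client, devices).items():
        print(mac, action)   # the PSK itself goes to the portal database, not to stdout
```

Run as a scheduled job the script is idempotent per MAC: a device that is already registered is re-keyed in place rather than duplicated, which is also how a lost or shared key is rotated.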

Accepted Solution

hslai
Cisco Employee

ISE 2.2+ supports custom endpoint attributes in authorization profiles. What you have is pretty much the same as recommended.

Please note a known issue -- CSCvd40908

7 Replies

Jason Kunst
Cisco Employee

Very nice! If you have any more information on how you set up your controller, some screenshots and more detail to share, that will help others.

Jonathan Grim
Cisco Employee

I can certainly add screenshots of the WLC and ISE.

Quick question...  In My Devices Portal, is there a way to add custom fields to the portal, and link it to an endpoint custom attribute?  Thanks!

There is not. Please reach out through the sales channel to our PM who is covering this feature, Ameet Kulkarni.

Yes, that is the method we tested internally using a custom attribute. I can share the config used, but it is essentially what is shown above.

There is no option in the current My Devices portal to populate custom attributes. We are well aware of the potential but cannot discuss the roadmap in this forum. Customers can reach out directly to their account team to solicit additional details. It is certainly possible to populate custom attributes using the ERS API, either directly or as part of a custom portal that sets the required values per endpoint. We have other customers doing this already.

prashantk
Level 1

Please share a more detailed document on the per-user/per-device configuration,

so that we can configure it in our network as well.

It's a nice option.

A snippet of the config is shared in the BRKSEC-3697 session from Cisco Live here.

We also received a Community post with sample config details here.